IN THE CLAIMS

This listing of claims will replace all prior versions and listings of claims in the 
Application: 

LISTING OF CLAIMS: 

1. (Amended) A method executing on a hardware computer for managing
network access to a data communications network, said method comprising:

maintaining a central database;

maintaining at least one authentication, authorization and accounting 
(AAA) service at a point of presence (PoP) of the data communications network; 
and 

configuring a database associated with the AAA service from the central 
database, wherein said configuring includes publishing information from said 
central database on an information bus as at least one event, said AAA service 
subscribing to said event so as to receive said published information so as to 
thereby update its associated database; 

further comprising: 

receiving at a protocol gateway in the PoP a network access request from 
a user through a network access server (NAS); 

parsing the network access request for an identification of the user's 
domain; 

routing the network access request to the AAA service at the PoP if the 
user's domain corresponds to that of the PoP; 

looking up a domain identification entry corresponding to the user's 
domain in the AAA service's database if the user's domain does not correspond 
to that of the PoP;

proxying the network access request to an AAA service in the user's
domain at an address and port as specified in the domain identification entry of
the database if the user's domain does not correspond to that of the PoP.

Claim 2 (Cancelled). 

3. (Amended) [A] The method executing on the hardware computer in 
accordance with claim [2] 1, further comprising:

obtaining an IP address for the user from the AAA service in the user's 
domain if the user's domain does not correspond to that of the PoP. 

4. (Twice Amended) [A] The method executing on the hardware computer in 
accordance with claim [2] 1, further comprising:

assigning an IP address to the user from a local DHCP pool of IP 
[address] addresses if the user's domain does not correspond to that of the PoP. 

5. (Amended) [A] The method executing on the hardware computer in 
accordance with claim [2] 1, further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the PoP. 

6. (Amended) A method executing on a hardware computer for managing 
network access to a data communications network, said method comprising: 

maintaining a central database; 

maintaining a plurality of authentication, authorization and accounting 
(AAA) services at a point of presence (PoP) of the data communication network; 
and 

configuring databases associated with the AAA services from the central 
database, wherein said configuring includes publishing information from said 
central database on an information bus as at least one event, said AAA services
subscribing to said event so as to receive said published information so as to
thereby update their associated databases;

further comprising:

receiving at a protocol gateway in the PoP a network access request from 
a user through a network access server (NAS): 

parsing the network access request for an identification of the user's 
domain: 

routing the network access request to one of said plurality of AAA services 
at the PoP if the user's domain corresponds to that of the PoP while load 
balancing among said plurality of AAA services: 

looking up a domain identification entry corresponding to the user's 
domain in one of said plurality of AAA service's databases if the user's domain 
does not correspond to that of the PoP: 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the domain identification entry of 
the database if the user's domain does not correspond to that of the PoP.

Claim 7 (Cancelled). 

8. (Amended) [A] The method executing on the hardware computer in 
accordance with claim [7] 6, further comprising: 

obtaining an IP address for the user from the AAA service in the user's 
domain if the user's domain does not correspond to that of the PoP. 

9. (Twice Amended) [A] The method executing on the hardware computer in
accordance with claim [7] 6, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP 
[address] addresses if the user's domain does not correspond to that of the PoP.

10. (Amended) [A] The method executing on the hardware computer in
accordance with claim [7] 6, further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the PoP. 

11. (Amended) A method executing on a hardware computer for managing
network access to a data communications network, said method comprising: 

maintaining a central database, said central database containing access 
information for authentication, authorization and accounting services associated 
with domains of the data communications network; 

maintaining at a point of presence (PoP) of the data communications 
network at least one AAA service and at least one proxy service and at least one 
protocol gateway in communication with a network access server (NAS); 

periodically publishing information contained in said central database; 

subscribing at said AAA and said proxy service to information published 
from said central database; 

receiving at a protocol gateway in the PoP a network access request from 
a user through a network access server (NAS); 

parsing the network access request at the protocol gateway for an 
identification of the user's domain; 

routing the network access request to an AAA service at the PoP if the 
user's domain corresponds to that of the PoP; 

looking up access information within a domain identification entry 
corresponding to the user's domain in a database associated with the proxy 
server if the user's domain does not correspond to that of the PoP; and 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the access information if the user's 
domain does not correspond to that of the PoP.

12. (Amended) [A] The method executing on the hardware computer in
accordance with claim 11, further comprising:

obtaining an IP address for the user from an AAA service in the user's 
domain if the user's domain does not correspond to that of the PoP. 

13. (Twice Amended) [A] The method executing on the hardware computer in
accordance with claim 11, further comprising:

assigning an IP address to the user from a local DHCP pool of IP 
[address] addresses if the user's domain does not correspond to that of the PoP. 

14. (Amended) [A] The method executing on the hardware computer in 
accordance with claim 11, further comprising:

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the PoP. 

15. (Amended) A method executing on a hardware computer of managing 
network access requests to a data communications network, said method 
comprising: 

receiving at a protocol gateway in a point of presence (PoP) of the data 
communications network a network access request from a user through a 
network access server (NAS); 

parsing the network access request for an identification of the user's 
domain; 

routing the network access request to one of the plurality of authentication, 
authorization and accounting (AAA) services associated with the PoP if the 
user's domain corresponds to that of the PoP while load balancing among the 
plurality of AAA services;

looking up a domain identification entry corresponding to the user's
domain in a database if the user's domain does not correspond to that of the 
PoP; 

proxying the network access request via one of a plurality of proxy 
services to an AAA service in the user's domain at an address and port as 
specified in the domain identification entry of the database if the user's domain 
does not correspond to that of the PoP while load balancing among the plurality 
of proxy services. 

16. (Amended) [A] The method executing on the hardware computer in 
accordance with claim 15, further comprising: 

obtaining an IP address for the user from the AAA service in the user's 
domain if the user's domain does not correspond to that of the PoP. 

17. (Twice Amended) [A] The method executing on the hardware computer in 
accordance with claim 15, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP 
[address] addresses if the user's domain does not correspond to that of the PoP. 

18. (Amended) [A] The method executing on the hardware computer in 
accordance with claim 15, further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the PoP.

19. (Amended) A method executing on a hardware computer for managing
network access to a data communications network, said method comprising: 

maintaining a central database, said central database containing access 
information for authentication, authorization and accounting (AAA) services 
associated with domains of the data communications network;

maintaining at a point of presence (PoP) of the data communications
network a plurality of AAA services at least one AAA service and at least one 
proxy service and at least one protocol gateway in communication with a network 
access server (NAS); 

periodically publishing information contained in said central database; 

subscribing at said AAA and said proxy service to information published 
from said central database; 

receiving at a protocol gateway in the PoP a network access request from 
a user through a network access server (NAS); 

parsing the network access request at the protocol gateway for an 
identification of the user's domain; 

routing the network access request to one of said plurality of AAA services 
at the PoP if the user's domain corresponds to that of the PoP while load 
balancing among said plurality of AAA services; 

looking up access information within a domain identification entry 
corresponding to the user's domain in a database associated with one of said 
plurality of proxy services if the user's domain does not correspond to that of the 
PoP while load balancing among said plurality of proxy services; and 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the access information if the user's 
domain does not correspond to that of the PoP. 
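The routing recited in claim 19, sketched in Python as an added illustration that is not part of the claims or of any implementation by the applicant. The class and function names, the "user@domain" username form, the treatment of a username without "@" as belonging to the PoP's own domain, and every domain, address and port value are assumptions constructed for the example; local AAA services are represented by name only.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class DomainEntry:
    """Domain identification entry: address and port of a remote domain's AAA service."""
    address: str
    port: int


class InformationBus:
    """Minimal publish/subscribe bus standing in for the claimed information bus."""

    def __init__(self):
        self._subscribers = []

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def publish(self, event):
        for callback in self._subscribers:
            callback(event)


def publish_central_db(bus, central_db):
    """Publish each central-database entry as one event to all subscribers."""
    for domain, (address, port) in central_db.items():
        bus.publish({"domain": domain, "address": address, "port": port})


class ProxyService:
    """Holds a local copy of the domain entries, updated from published events."""

    def __init__(self, name, bus):
        self.name = name
        self.db = {}
        bus.subscribe(self._on_event)

    def _on_event(self, event):
        port = event["port"]
        if not (isinstance(port, int) and 0 < port < 65536):
            return  # ignore a malformed entry rather than store it
        self.db[event["domain"].lower()] = DomainEntry(event["address"], port)

    def proxy(self, domain):
        entry = self.db.get(domain)
        if entry is None:
            # No entry for this domain: refuse instead of guessing a destination.
            return ("reject", "no entry for domain " + domain)
        return ("proxy", self.name, entry.address, entry.port)


def parse_domain(username, local_domain):
    """Extract the user's domain; a bare username is assumed to be local."""
    user, sep, domain = username.rpartition("@")
    if not sep:
        return local_domain
    if not user or not domain:
        raise ValueError("malformed username")
    return domain.lower()


class ProtocolGateway:
    """Routes local-domain requests to AAA services and the rest to proxy services."""

    def __init__(self, local_domain, aaa_services, proxy_services):
        self.local_domain = local_domain.lower()
        self._aaa = cycle(aaa_services)        # round-robin load balancing
        self._proxies = cycle(proxy_services)  # round-robin load balancing

    def handle(self, username):
        try:
            domain = parse_domain(username, self.local_domain)
        except ValueError as exc:
            return ("reject", str(exc))
        if domain == self.local_domain:
            return ("local", next(self._aaa))
        return next(self._proxies).proxy(domain)


def build_pop():
    """Build one PoP from constructed sample data (documentation address ranges)."""
    bus = InformationBus()
    proxies = [ProxyService("proxy-1", bus), ProxyService("proxy-2", bus)]
    central_db = {
        "corp.example": ("192.0.2.10", 1812),
        "isp-b.example": ("198.51.100.7", 1645),
    }
    publish_central_db(bus, central_db)  # subscribers fill their databases here
    return ProtocolGateway("isp-a.example", ["aaa-1", "aaa-2"], proxies)
```

Calling `build_pop().handle("dave@corp.example")` returns the proxy decision with the address and port taken from the published entry, while a request for a domain with no entry is rejected rather than forwarded.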

20. (Amended) [A] The method executing on the hardware computer in 
accordance with claim 19, further comprising: 

obtaining an IP address for the user from an AAA service in the user's 
domain if the user's domain does not correspond to that of the PoP. 

21. (Twice Amended) [A] The method executing on the hardware computer in 
accordance with claim 19, further comprising:

assigning an IP address to the user from a local DHCP pool of IP
[address] addresses if the user's domain does not correspond to that of the PoP. 

22. (Amended) [A] The method executing on the hardware computer in 
accordance with claim 19, further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the PoP. 

23. (Amended) A method executing on a hardware computer of managing 
network access requests to a data communications network, said method 
comprising: 

receiving at a protocol gateway in a point of presence (PoP) of the data 
communications network a network access request from a user through a 
network access server (NAS); 

parsing the network access request for an identification of the user's 
domain; 

routing the network access request to an authentication, authorization and 
accounting (AAA) service associated with the PoP if the user's domain 
corresponds to that of the PoP; 

looking up a domain identification entry corresponding to the user's 
domain in a database if the user's domain does not correspond to that of the 
PoP; 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the domain identification entry of 
the database if the user's domain does not correspond to that of the PoP. 

24. (Amended) [A] The method executing on the hardware computer in 
accordance with claim 23, further comprising:

obtaining an IP address for the user from the AAA service in the user's
domain if the user's domain does not correspond to that of the PoP. 

25. (Twice Amended) [A] The method executing on the hardware computer in 
accordance with claim 23, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP 
[address] addresses if the user's domain does not correspond to that of the PoP. 

26. (Amended) [A] The method executing on the hardware computer in 
accordance with claim 23, further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the PoP. 

27. (Amended) A hardware system for data communications network access 
management, comprising: 

a central database containing information identifying access information 
for authentication, authorization and accounting (AAA) services associated with 
domains of the data communications network; 

a publisher, said publisher publishing information from said central 
database to subscribers over an information bus; 

a point of presence (PoP) on the data communications network, said PoP 
including a protocol gateway in communication with at least one network access 
server (NAS); 

an AAA service associated with said PoP and in communication with said 
protocol gateway, said AAA service subscribing to information published by said 
publisher; and 

a proxy service associated with the PoP and in communication with said 
protocol gateway, said proxy service subscribing to information published by said 
publisher, said protocol gateway receiving network access requests from users 
over the NAS, parsing the requests for domain identification and routing the
requests for domains other than those associated with the PoP to the proxy 
service; 

said proxy service routing network access requests to AAA services in 
remote domains in accordance with said access information. 

28. (Twice Amended) [A] The hardware system in accordance with claim 27, 
further comprising: 

an AAA database associated with said AAA service; and a proxy database 
associated with said proxy service; 

said AAA database populated at instantiation of said AAA service by 
receiving information published by said publisher from said central database; 

said proxy database populated at instantiation of said proxy service by 
receiving information published by said publisher from said central database. 

29. (Amended) A hardware system for data communications network access 
management, comprising: 

a central database containing information identifying access information 
for authentication, authorization and accounting (AAA) services associated with 
domains of the data communications network; 

a publisher, said publisher publishing information from said central 
database to subscribers over an information bus; 

a point of presence (PoP) on the data communications network; 

said PoP including a protocol gateway in communication with at least one 
network access server (NAS); 

a plurality of AAA services associated with said PoP and in 
communication with said protocol gateway; 

said AAA services subscribing to information published by said publisher; 

and

a plurality of proxy services associated with said PoP and in
communication with said protocol gateway, said proxy services subscribing to 
information published by said publisher; 

said protocol gateway receiving network access requests from users over 
the NAS, parsing the requests for domain identification and routing the requests 
for domains other than those associated with the PoP to one of said plurality of 
proxy services while load balancing among them; 

said proxy service routing network access requests to AAA services in 
remote domains in accordance with said access information. 

30. (Twice Amended) [A] The hardware system in accordance with claim 29, 
further comprising: 

a plurality of AAA databases associated with said respective AAA 
services; and 

a plurality of proxy databases associated with said respective proxy 
services; 

said AAA databases populated at instantiation of said respective AAA 
services by receiving information published by said publisher from said central 
database; 

said proxy databases populated at instantiation of said respective proxy 
services by receiving information published by said publisher from said central 
database. 

31. (New Amended) A method executing on a hardware computer for 
managing network access to a data communications network said method 
comprising: 

maintaining a central database coupled to the data communications 
network; 

maintaining at least a first authentication, authorization and accounting 
(AAA) service at a first point of presence (PoP) of the data communications 
network and second AAA service at a second PoP of the data communications
network: 

configuring a database associated with the first AAA service from the 
central database by transporting information from the central database over the 
data communications network to the database associated with the first AAA 
service: and 

configuring a database associated with the second AAA service from the 
central database by transporting information from the central database over the 
data communications network to the database associated with the second AAA 
service: 

further comprising: 

receiving at a protocol gateway in the first PoP a network access request 
from a user through network access server (NAS); 

parsing the network access request for an identification of the user's 
domain: 

routing the network access request to the first AAA service at the first PoP 
if the user's domain corresponds to that of the first PoP: 

looking up a domain identification entry corresponding to the user's 
domain in the first AAA service's database if the user's domain does not 
correspond to that of the first PoP: 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the domain identification entry of 
the database if the user's domain does not correspond to that of the first PoP. 

32. (New Amended) The method executing on the hardware computer of 
claim 31 further comprising: 

periodically updating the database associated with the first AAA service 
from the central database by transporting information from the central database 
over the data communications network to the database associated with the first 
AAA service.

33. (New Amended) The method executing on the hardware computer of
claim 32 further comprising: 

periodically updating the database associated with the second AAA 
service from the central database by transporting information from the central 
database over the data communications network to the database associated with 
the second AAA service. 

Claim 34 (Cancelled). 

35. (New Amended) The method executing on the hardware computer of 
claim 31 further comprising: 

obtaining an IP address for the user from the AAA service in the user's 
domain if the user's domain does not correspond to that of the first PoP. 

36. (New Amended) The method executing on the hardware computer of 
claim 31 further comprising: 

assigning an IP address to the user from a local DHCP pool of IP 
addresses if the user's domain does not correspond to that of the first PoP. 

37. (New Amended) The method executing on the hardware computer of 
claim 31, further comprising:

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the first PoP. 

38. (New Amended) A method executing on a hardware computer for 
managing network access to a data communications network, said method 
comprising:

maintaining a central database coupled to the data communications
network: 

maintaining a plurality of first authentication, authorization and accounting 
(AAA) services at a first point of presence (PoP) of the data communications 
network and a second AAA service at a second PoP of the data communications 
network: 

configuring one or more databases associated with the first AAA services 
from the central database by transporting information from the central database 
over the data communications network to the database(s) associated with the 
first AAA services: and 

configuring a database associated with the second AAA service from the 
central database by transporting information from the central database over the 
data communications network to the database associated with the second AAA 
service: 

further comprising: 

receiving at a protocol gateway in the first PoP a network access request 
from a user through a network access server (NAS); 

parsing the network access request for an identification of the user's 
domain: 

routing the network access request to one of said plurality of first AAA 
services at the first PoP if the user's domain corresponds to that of the first PoP 
while load balancing among said plurality of first AAA services: 

looking up a domain identification entry corresponding to the user's 
domain in one of said plurality of first AAA service's database(s) if the user's 
domain does not correspond to that of the first PoP; 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the domain identification entry of 
the database if the user's domain does not correspond to that of the first PoP. 

Claim 39 (Cancelled).

40. (New Amended) The method executing on the hardware computer of
claim 38 further comprising: 

obtaining an IP address for the user from the AAA service in the user's 
domain if the user's domain does not correspond to that of the first PoP. 

41. (New Amended) The method executing on the hardware computer of 
claim 38, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP 
addresses if the user's domain does not correspond to that of the first PoP. 

42. (New Amended) The method executing on the hardware computer of 
claim 38 further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the first PoP. 

43. (New Amended) A method executing on a hardware computer for 
managing network access to a data communications network, said method 
comprising: 

maintaining a central database coupled to the data communications 
network: 

said central database containing access information for authentication, 
authorization and accounting (AAA) services associated with domains of the data
communications network: 

maintaining at a first point of presence (PoP) of the data communications
network at least one first AAA service and at least one first proxy service and at 
least one first protocol gateway in communication with a network access server 
(NAS):

periodically transporting information contained in the central database
from the central database, over the data communications network, to the first
AAA service(s), the first proxy service(s) and the first protocol gateway(s);

receiving at a protocol gateway in the first PoP a network access request 
from a user through a network access server (NAS); 

parsing the network access request at the first protocol gateway for an 
identification of the user's domain: 

routing the network access request to an AAA service at the first PoP if 
the user's domain corresponds to that of the first PoP: 

looking up access information within a domain identification entry 
corresponding to the user's domain in a database associated with the first proxy 
server if the user's domain does not correspond to that of the first PoP: and 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the access information if the user's 
domain does not correspond to that of the first PoP. 

44. (New Amended) The method executing on the hardware computer of 
claim 43, further comprising: 

obtaining an IP address for the user from an AAA service in the user's 
domain if the user's domain does not correspond to that of the first PoP. 

45. (New Amended) The method executing on the hardware computer of 
claim 43, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP 
addresses if the user's domain does not correspond to that of the first PoP. 

46. (New Amended) The method executing on the hardware computer of 
claim 43, further comprising:

assigning an IP address to the user from an IP address pool identified in
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the first PoP. 

47. (New Amended) A method executing on a hardware computer for 
managing network access requests to a data communications network, said 
method comprising: 

receiving at a protocol gateway in a first point of presence (PoP) of the 
data communications network a network access request from a user received 
through a network access server (NAS): 

parsing the network access request for an identification of the user's 
domain: 

routing the network access request to one of the plurality of authentication, 
authorization and accounting (AAA) services associated with the first PoP if the 
user's domain corresponds to that of the first PoP while load balancing among 
the plurality of AAA services: 

looking up a domain identification entry corresponding to the user's 
domain in a database associated with the one AAA if the user's domain does not 
correspond to that of the first PoP: 

proxying the network access request via one of a plurality of proxy
services to an AAA service in the user's domain at an address and port as 
specified in the domain identification entry of the database if the user's domain 
does not correspond to that of the first PoP while load balancing among the 
plurality of proxy services. 

48. (New Amended) The method executing on the hardware computer of 
claim 47, further comprising: 

obtaining an IP address for the user from the AAA service in the user's 
domain if the user's domain does not correspond to that of the first PoP.

49. (New Amended) The method executing on the hardware computer of
claim 47, further comprising:

assigning an IP address to the user from a local DHCP pool of IP 
addresses if the user's domain does not correspond to that of the first PoP. 

50. (New Amended) The method executing on the hardware computer of 
claim 47, further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the first PoP. 

51. (New Amended) A method executing on a hardware computer for 
managing network access to a data communications network, said method 
comprising: 

maintaining a central database, said central database containing access 
information for authentication, authorization and accounting services associated 
with domains of the data communications network: 

maintaining at a first point of presence (PoP) of the data communications 
network a plurality of AAA services at least one AAA service and at least one 
proxy service and at least one protocol gateway in communication with a network 
access server (NAS): 

periodically transmitting information contained in said central database 
over the data communications network to said AAA and said proxy service: 

receiving at a protocol gateway in the PoP a network access request from 
a user through a network access server (NAS) parsing the network access 
request at the protocol gateway for an identification of the user's domain: 

routing the network access request to one of said plurality of AAA services 
at the first PoP if the user's domain corresponds to that of the first PoP while load 
balancing among said plurality of AAA services:

looking up access information within a domain identification entry
corresponding to the user's domain in a database associated with one of said 
plurality of proxy services if the user's domain does not correspond to that of the 
first PoP while load balancing among said plurality of proxy services: and 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the access information if the user's
domain does not correspond to that of the first PoP. 

52. (New Amended) The method executing on the hardware computer of 
claim 51, further comprising:

obtaining an IP address for the user from an AAA service in the user's 
domain if the user's domain does not correspond to that of the first PoP. 

53. (New Amended) The method executing on the hardware computer of 
claim 51, further comprising:

assigning an IP address to the user from a local DHCP pool of IP 
addresses if the user's domain does not correspond to that of the first PoP. 

54. (New Amended) The method executing on the hardware computer of 
claim 51, further comprising:

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the first PoP. 

55. (New Amended) A method executing on a hardware computer for 
managing network access requests to a data communications network, said 
method comprising: 

periodically transmitting updating information contained in a central 
database over the data communications network to an authentication, 
authorization and accounting (AAA) service associated with a first point of
presence (PoP) of the data communications network: 

receiving at a protocol gateway in the first point of presence (PoP) of the 
data communications network a network access request from a user received 
through a network access server (NAS): 

parsing the network access request for an identification of the user's 
domain: 

routing the network access request to the AAA service associated with the 
first PoP if the user's domain corresponds to that of the first PoP: 

looking up a domain identification entry corresponding to the user's 
domain in a database if the user's domain does not correspond to that of the first 
PoP: 

proxying the network access request to an AAA service in the user's 
domain at an address and port as specified in the domain identification entry of 
the database if the user's domain does not correspond to that of the first PoP. 

56. (New Amended) The method executing on the hardware computer of 
claim 55, further comprising: 

obtaining an IP address for the user from the AAA service in the user's 
domain if the user's domain does not correspond to that of the first PoP. 

57. (New Amended) The method executing on the hardware computer of 
claim 55, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP 
addresses if the user's domain does not correspond to that of the first PoP. 

58. (New Amended) The method executing on the hardware computer of 
claim 55, further comprising: 

assigning an IP address to the user from an IP address pool identified in 
an access-accept packet received from the user's domain's AAA service if the 
user's domain does not correspond to that of the first PoP. 

59. (New Amended) A hardware system for data communications network 
access management, comprising: 

a central database containing information identifying access information 
for authentication, authorization and accounting (AAA) services associated with 
domains of the data communications network: 

a first point of presence (PoP) on the data communications network, said 
first PoP including a protocol gateway in communication with at least one 
network access server (NAS): 

an AAA service associated with said first PoP and in communication with 
said protocol gateway and the data communications network: 

proxy service associated with the first PoP and in communication with said 
protocol gateway and the data communications network: 

a transmitter, said transmitter transmitting information from said central 
database to said AAA service at said first PoP and said proxy service at said first 
PoP over the data communications network: 

said protocol gateway receiving network access requests from users over 
the NAS, parsing the requests for domain identification and routing the requests 
for domains other than those associated with the first PoP to the proxy service, 

said proxy service routing network access requests to AAA services in 
remote domains in accordance with said access information. 

60. (New Amended) The hardware system of claim 59, further comprising: 
an AAA database associated with said AAA service at said first PoP; 

a proxy database associated with said proxy service at said first PoP: 
said AAA database populated at instantiation of said AAA service by 
receiving information transmitted by said transmitter from said central database: 

said proxy database populated at instantiation of said proxy service by 
receiving information transmitted by said transmitter from said database. 

61. (New Amended) A hardware system for data communications network 
access management, comprising: 

a central database containing information identifying access information 
for authentication, authorization and accounting (AAA) services associated with 
domains of the data communications network: 

a first point of presence (PoP) on the data communications network, said 
first PoP including a protocol gateway in communication with at least one 
network access server (NAS): 

a plurality of AAA services associated with said first PoP and in 
communication with said protocol gateway, said AAA services subscribing to 
information published by said publisher; 

a plurality of proxy services associated with said first PoP and in 
communication with said protocol gateway, said proxy services subscribing to 
information published by said publisher: and 

a transmitter, said transmitter transmitting information from said central 
database over the data communications network to said plurality of AAA services 
associated with said first PoP and to said plurality of proxy services associated 
with said first PoP; 

said protocol gateway receiving network access requests from users over 
the NAS, parsing the requests for domain identification and routing the requests 
for domains other than those associated with the first PoP to one of said plurality 
of proxy services while load balancing among them; 

said proxy service routing network access requests to AAA services in 
remote domains in accordance with said access information. 

62. (New Amended) The hardware system of claim 61, further comprising 

a plurality of AAA databases associated with said respective AAA services 
at said first PoP: and 

a plurality of proxy databases associated with said respective proxy 
services at said first PoP; 

said AAA databases populated at instantiation of said respective AAA 
services by receiving information transmitted by said transmitter from said central 
database: 

said proxy databases populated at instantiation of said respective proxy 
services by receiving information transmitted by said transmitter from said central 
database. 



63. (New Amended) A hardware system for managing access to a data 
communications network, said system comprising; 

means for communicating with a central database via the data 
communications network, the central database containing information identifying 
access information for authentication, authorization and accounting (AAA) 
services associated with domains of the data communications network: 

means for communicating with a local AAA service associated with a local 
Point of Presence (PoP): 

means for communicating with a remote AAA service via a local proxy 
service: 

means for instantiating the local AAA service from the central database: 

means for reaching a network access request from a user through a local 
network access server (NAS): 

means for checking the network access request to determine an 
identification of the user's domain: 

means for routing the network access request to the local AAA service if 
the user's domain corresponds to that of the local PoP: 



U.S. Application No.: 10/679,203 Attorney Docket No.: 1004-229 

means for looking up a domain identification entry corresponding to the 
user's domain in the local AAA service's database if the user's domain does not 
correspond to that of the local PoP; and 

means for proxying the network access request to a remote AAA service 
in the user's domain at an address and port as specified in the domain 
identification entry of the database if the user's domain does not correspond to 
that of the local PoP. 

64. (New Amended) A hardware system for managing access to a data 
communications network, said system comprising: 

means for communicating with a central database via the data 
communications network, the central database containing information identifying 
access information for authentication, authorization and accounting (AAA) 
services associated with domains of the data communications network: 

means for communicating with a plurality of local AAA services associated 
with a local Point of Presence (PoP): 

means for communicating with a plurality of local proxy services 
associated with the local PoP: 

means for communicating with a remote AAA service via a local proxy 
service: 

means for instantiating the local AAA services from the central database: 

means for instantiating the local proxy services from the central database: 

means for receiving a network access request from a user through local 
network access server (NAS): 

means for checking the network access request to determine an 
identification of the user's domain: 

means for routing the network access request to the local AAA service if 
the user's domain corresponds to that of the local PoP: 

means for looking up a domain identification entry corresponding to the 
user's domain with the local AAA services if the user's domain does not 
correspond to that of the local PoP: 

means for proxying the network access request to a remote AAA service 
in the user's domain at an address and port as specified in the domain 
identification entry of the local AAA services' database if the user's domain does 
not correspond to that of the local PoP; and 

means for receiving network access requests from users over a network 
access server (NAS), parsing the requests for domain identification and routing 
the requests for domains other than those associated with the first PoP to one of 
said plurality of proxy services while load balancing among them: 

said proxy service routing network access requests to the remote AAA 
service in accordance with said access information. 

65. (New Amended) A method executing on a hardware computer for 
accounting for use of a data communications network, said method comprising: 

means for communicating with a central database via the data 
communications network, the central database containing information identifying 
access information for authentication, authorization and accounting (AAA) 
services associated with domains of the data communications network: 

means for communicating with at least one local AAA service associated 
with a local Point of Presence (PoP): 

means for communicating with a remote AAA service: 

means for instantiating the local AAA services from the central database: 

means for receiving a network access request from a user through a local 
network access server (NAS): 

means for checking the network access request to determine an 
identification of the user's domain: 

means for routing accounting information associated with the user to the 
local AAA service if the user's domain corresponds to that of the local PoP: 

means for looking up a domain identification entry corresponding to the 
user's domain with the local AAA services if the user's domain does not 
correspond to that of the local PoP: 

means for routing the accounting information to a remote AAA service in 
the user's domain at an address and port as specified in the domain identification 
entry of the local AAA services' database if the user's domain does not 
correspond to that of the local PoP. 

66. (New Amended) A method executing on a hardware computer for 
managing network access accounting in a data communications network, said 
method comprising: 

maintaining a central database coupled to the data communications 
network: 

maintaining at least a local authentication, authorization and accounting 
(AAA) service at a local point of presence (PoP) of the data communications 
network: 

configuring a database associated with the local AAA service from the 
central database by transporting information from the central database over the 
data communications network to the database associated with the local AAA 
service: 

receiving accounting information from a network access server (NAS) 
responsive to utilization of the data communications network by a user coupled to 
the data communications network through the NAS: 

forwarding said accounting information to the local AAA service if the 
user's domain corresponds to that of the local PoP: and 

forwarding said accounting information to a remote AAA service in the 
user's domain at an address and port as specified in the domain identification 
entry of the local AAA service's database if the user's domain does not 
correspond to that of the local PoP. 



67. (New Amended) A hardware apparatus for managing network access 
accounting in a data communications network, said apparatus comprising: 

means for maintaining a central database coupled to the data 
communications network: 

means for maintaining at least a local authentication, authorization and 
accounting (AAA) service at a local point of presence (PoP) of the data 
communications network: 

means for configuring a database associated with the local AAA service 
from the central database by transporting information from the central database 
over the data communications network to the database associated with the local 
AAA service: 

means for receiving accounting information from a network access server 
(NAS) responsive to utilization of the data communications network by a user 
coupled to the data communications network through the NAS: 

means for forwarding said accounting information to the local AAA service 
if the user's domain corresponds to that of the local PoP: and 

means for forwarding said accounting information to a remote AAA service 
in the user's domain at an address and port as specified in the domain 
identification entry of the local AAA service's database if the user's domain does 
not correspond to that of the local PoP. 

68. (New Amended) A hardware system for managing network access to a 
data communications network, said method comprising: 
a central database coupled to the data network: 

at least a first authentication, authorization and accounting (AAA) service 
at a first point of presence (PoP) of the data communications network and a 
second AAA service at a second PoP of the data communications network: and 

a database configurer configuring a database associated with the first 
AAA service from the central database by transporting information from the 
central database over the data communications network to the database 
associated with the first AAA service and configuring a database associated with 
the second AAA service from the central database by transporting information 
from the central database over the data communications network to the database 
associated with the second AAA service 

a protocol gateway receiving network access requests from users over the 
NAS, parsing the requests for domain identification and routing the requests for 
domains other than those associated with the first PoP to the proxy service, 

said proxy service routing network access requests to AAA services in 
remote domains in accordance with said access information. 

69. (New Amended) A hardware apparatus for managing network access to a 
data communications network, said method comprising: 

means for maintaining a central database coupled to the data 
communications network: 

means for maintaining at least a first authentication, authorization and 
accounting (AAA) service at a first point of presence (PoP) of the data 
communications network and a second AAA service at a second PoP of the data 
communications network: 

means for configuring a database associated with the first AAA service 
from the central database by transporting information from the central database 
over the data communications network to the database associated with the first 
AAA service: and 

means for configuring a database associated with the second AAA service 
from the central database by transporting information from the central database 
over the data communications network to the database associated with the 
second AAA service 

means for receiving accounting information from a network access server 
(NAS) responsive to utilization of the data communications network by a user 
coupled to the data communications network through the NAS: 

means for forwarding said accounting information to a local AAA service if 
the user's domain corresponds to that of the local PoP: and 

means for forwarding said accounting information to a remote AAA service 
in the user's domain at an address and port as specified in the domain 
identification entry of the local AAA service's database if the user's domain does 
not correspond to that of the local PoP. 

70. (New Amended) A hardware system for managing network access to a 
data communications network, said method comprising: 

a central database coupled to the data communications network: 

a plurality of first authentication, authorization and accounting (AAA) 
services disposed at a first point of presence (PoP) of the data communications 
network and a second AAA service disposed at a second PoP of the data 
communications network: 

a first database configurer configuring one or more databases associated 
with the first AAA services from the central database by transporting information 
from the central database over the data communications network to the 
database(s) associated with the first AAA services: and 

a second database configurer configuring a database associated with the 
second AAA service from the central database by transporting information from 
the central database over the data communications network to the database 
associated with the second AAA service 

a protocol gateway receiving network access requests from users over the 
NAS, parsing the requests for domain identification and routing the requests for 
domains other than those associated with the first PoP to the proxy service, 

said proxy service routing network access requests to AAA services in 
remote domains in accordance with said access information. 

71. (New Amended) A hardware apparatus for managing network access to a 
data communications network, said method comprising: 

means for maintaining a central database coupled to the data 
communications network: 

means for maintaining a plurality of first authentication, authorization and 
accounting (AAA) service at a first point of presence (PoP) of the data 
communications network and a second AAA service at a second PoP of the data 
communications network: and 

means for configuring one or more databases associated with the first 
AAA services from the central database by transporting information from the 
central database over the data communications network to the database(s) 
associated with the first AAA services: and 

means for configuring a database associated with the second AAA service 
from the central database by transporting information from the central database 
over the data communications network to the database associated with the 
second AAA service 

means for receiving accounting information from a network access server 
(NAS) responsive to utilization of the data communications network by a user 
coupled to the data communications network through the NAS; 

means for forwarding said accounting information to a local AAA service if 
the user's domain corresponds to that of the local PoP: and 

means for forwarding said accounting information to a remote AAA service 
in the user's domain at an address and port as specified in the domain 
identification entry of the local AAA service's database if the user's domain does 
not correspond to that of the local PoP. 

72. (New Amended) A hardware system for managing network access to a 
data communications network, said method comprising: 

a central database coupled to the data communications network: 

a plurality of first authentication, authorization and accounting (AAA) 
services disposed at a first point of presence (PoP) of the data communications 
network and a second AAA service disposed at a second PoP of the data 
communications network: and 

a database configurer configuring one or more databases associated with 
the first AAA services from the central database by transporting information from 
the central database over the data communications network to the database(s) 
associated with the first AAA services and configuring a database associated 
with the second AAA service from the central database by transporting 
information from the central database over the data communications network to 
the database associated with the second AAA service. 

a protocol gateway receiving network access requests from users over the 
NAS, parsing the requests for domain identification and routing the requests for 
domains other than those associated with the first PoP to the proxy service, 

said proxy service routing network access requests to AAA services in 
remote domains in accordance with said access information. 

73. (New Amended) A hardware apparatus for managing network access to a 
data communications network, said method comprising: 

means for maintaining a central database coupled to the data 
communications network: 

means for maintaining plurality of first authentication, authorization and 
accounting (AAA) service at a first point of presence (PoP) of the data 
communications network and a second AAA service at a second PoP of the data 
communications network: and 

means for configuring one or more databases associated with the first 
AAA services from the central database by transporting information from the 
central database over the data communications network to database(s) 
associated with the first AAA services and for configuring a database associated 
with the second AAA service from the central database by transporting 
information from the central database over the data communications network to 
the database associated with the second AAA service 

means for receiving accounting information from a network access server 
(NAS) responsive to utilization of the data communications network by a user 
coupled to the data communications network through the NAS: 

means for forwarding said accounting information to a local AAA service if 
the user's domain corresponds to that of the local PoP; and 

means for forwarding said accounting information to a remote AAA service 
in the user's domain at an address and port as specified in the domain 
identification entry of the local AAA service's database if the user's domain does 
not correspond to that of the local PoP. 



